CISM Certified Information Security Manager Practice Test Set 5

When performing a quantitative risk analysis, which of the following is MOST important to estimate
the potential loss?


Options are :

  • Evaluate productivity losses
  • Measure the probability of occurrence of each threat
  • Calculate the value of the information or asset (Correct)
  • Assess the impact of confidential data disclosure

Answer : Calculate the value of the information or asset

The recovery point objective (RPO) requires which of the following?


Options are :

  • System restoration
  • Disaster declaration
  • Before-image restoration (Correct)
  • After-image processing

Answer : Before-image restoration

Which of the following is the MOST usable deliverable of an information security risk analysis?


Options are :

  • Business impact analysis (BIA) report
  • Assignment of risks to process owners
  • List of action items to mitigate risk (Correct)
  • Quantification of organizational risk

Answer : List of action items to mitigate risk

In assessing risk, it is MOST essential to:


Options are :

  • use benchmarking data from similar organizations
  • focus primarily on threats and recent business losses.
  • provide equal coverage for all asset types
  • consider both monetary value and likelihood of loss. (Correct)

Answer : consider both monetary value and likelihood of loss.

Which of the following risks would BEST be assessed using qualitative risk assessment
techniques?


Options are :

  • Theft of purchased software
  • Permanent decline in customer confidence (Correct)
  • Power outage lasting 24 hours
  • Temporary loss of e-mail due to a virus attack

Answer : Permanent decline in customer confidence

Which of the following would be MOST useful in developing a series of recovery time objectives
(RTOs)?


Options are :

  • Regression analysis
  • Gap analysis
  • Business impact analysis (Correct)
  • Risk analysis

Answer : Business impact analysis

In performing a risk assessment on the impact of losing a server, the value of the server should be
calculated using the:


Options are :

  • annualized loss expectancy (ALE).
  • cost of the software stored.
  • original cost to acquire
  • cost to obtain a replacement (Correct)

Answer : cost to obtain a replacement

An information security manager has been assigned to implement more restrictive preventive
controls. By doing so, the net effect will be to PRIMARILY reduce the:


Options are :

  • threat.
  • probability.
  • vulnerability. (Correct)
  • loss.

Answer : vulnerability.

The PRIMARY objective of a risk management program is to:


Options are :

  • minimize residual risk (Correct)
  • minimize inherent risk
  • eliminate business risk.
  • implement effective controls

Answer : minimize residual risk

Which of the following results from the risk assessment process would BEST assist risk
management decision making?


Options are :

  • Control risk
  • Inherent risk
  • Risk exposure
  • Residual risk (Correct)

Answer : Residual risk

During which phase of development is it MOST appropriate to begin assessing the risk of a new
application system?


Options are :

  • Design
  • Development
  • Feasibility (Correct)
  • Testing

Answer : Feasibility

Which of the following will BEST prevent external security attacks?


Options are :

  • Static IP addressing
  • Background checks for temporary employees
  • Network address translation (Correct)
  • Securing and analyzing system access logs

Answer : Network address translation

Which of the following is the PRIMARY reason for implementing a risk management program?


Options are :

  • Allows the organization to eliminate risk
  • Satisfies audit and regulatory requirements
  • Assists in increasing the return on investment (ROI)
  • Is a necessary part of management's due diligence (Correct)

Answer : Is a necessary part of management's due diligence

Data owners are PRIMARILY responsible for establishing risk mitigation methods to address
which of the following areas?


Options are :

  • Antivirus controls
  • Platform security
  • Entitlement changes (Correct)
  • Intrusion detection

Answer : Entitlement changes

Quantitative risk analysis is MOST appropriate when assessment data:


Options are :

  • do not contain specific details
  • include customer perceptions.
  • contain percentage estimates (Correct)
  • contain subjective information.

Answer : contain percentage estimates

A successful risk management program should lead to:


Options are :

  • containment of losses to an annual budgeted amount.
  • elimination or transference of all organizational risks.
  • optimization of risk reduction efforts against cost (Correct)
  • identification and removal of all man-made threats.

Answer : optimization of risk reduction efforts against cost
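Several of the questions above turn on the same quantitative risk arithmetic: the potential loss is driven by the asset's value (priced at replacement cost, not purchase price), a quantitative analysis needs percentage estimates such as exposure factors and frequencies, and the goal of the program is to optimize risk reduction against control cost rather than to drive risk to zero. The following is an added worked example, not material from the practice test or from ISACA; it uses the standard SLE = AV x EF and ALE = SLE x ARO formulas and then scores candidate controls by net annual benefit. Every asset value, exposure factor, rate of occurrence and control cost in it is a constructed sample figure.

```python
"""Quantitative risk analysis worked example (added illustration, not from the exam page).

Formulas as used in CISM material:
    SLE = AV * EF      single loss expectancy  = asset value x exposure factor
    ALE = SLE * ARO    annualized loss expectancy = SLE x annual rate of occurrence
Control cost-benefit (annual):
    net_benefit = ALE_before - ALE_after - annual_control_cost
A control with a negative net benefit reduces risk but costs more than the risk
it removes; a risk management program that "optimizes risk reduction against
cost" would not fund it.

All figures below are constructed sample values, not data from the page.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # AV: cost to obtain a replacement (not original purchase price)
    exposure_factor: float  # EF: fraction of AV lost in one event, 0.0 .. 1.0
    aro: float              # ARO: expected events per year (0.25 = once every 4 years)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    ef_after: Optional[float] = None   # new EF if the control reduces impact
    aro_after: Optional[float] = None  # new ARO if the control reduces likelihood


def sle(s: Scenario) -> float:
    """Single loss expectancy: what one occurrence costs."""
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualized loss expectancy: expected loss per year from this scenario."""
    return sle(s) * s.aro


def residual(s: Scenario, c: Control) -> Scenario:
    """The scenario as it looks after the control is in place (residual risk)."""
    return Scenario(
        s.name,
        s.asset_value,
        c.ef_after if c.ef_after is not None else s.exposure_factor,
        c.aro_after if c.aro_after is not None else s.aro,
    )


def net_benefit(s: Scenario, c: Control) -> float:
    """Annual value of a control: risk reduction minus what the control costs."""
    return ale(s) - ale(residual(s, c)) - c.annual_cost


def rank_controls(s: Scenario, controls: List[Control]) -> List[Control]:
    """Controls ordered by net annual benefit, best first."""
    return sorted(controls, key=lambda c: net_benefit(s, c), reverse=True)


# Constructed sample scenarios (hypothetical figures):
# - a file server priced at its replacement cost, total loss once per 10 years
SERVER_LOSS = Scenario("loss of file server", asset_value=40_000.0,
                       exposure_factor=1.0, aro=0.1)
# - a 24-hour site power outage; AV is the financial loss the affected business
#   units incur for a day, not the carrier's or utility's hourly rate
POWER_OUTAGE = Scenario("24h power outage", asset_value=120_000.0,
                        exposure_factor=1.0, aro=0.5)

# Constructed candidate controls for the outage scenario (hypothetical):
OUTAGE_CONTROLS = [
    Control("UPS plus generator", annual_cost=25_000.0, aro_after=0.05),
    Control("hot-site failover", annual_cost=70_000.0, aro_after=0.02),
    Control("partial generator (critical loads only)", annual_cost=10_000.0, ef_after=0.4),
]


if __name__ == "__main__":
    for s in (SERVER_LOSS, POWER_OUTAGE):
        print(f"{s.name}: SLE={sle(s):,.0f}  ALE={ale(s):,.0f}")
    for c in rank_controls(POWER_OUTAGE, OUTAGE_CONTROLS):
        print(f"  {c.name:42s} net benefit/yr = {net_benefit(POWER_OUTAGE, c):>10,.0f}")
```

Running it shows that the most expensive control (hot-site failover) has a negative net benefit for this scenario even though it leaves the lowest residual ALE, which is the point of the "optimization against cost" answer: the control that minimizes residual risk is not automatically the one the program should fund.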

Which of the following risks would BEST be assessed using quantitative risk assessment
techniques?


Options are :

  • Customer data stolen
  • A web site defaced by hackers
  • An electrical power outage (Correct)
  • Loss of the software development team

Answer : An electrical power outage

Which of the following attacks is BEST mitigated by utilizing strong passwords?


Options are :

  • buffer overflow
  • Man-in-the-middle attack
  • Remote buffer overflow
  • Brute force attack (Correct)

Answer : Brute force attack

The decision as to whether a risk has been reduced to an acceptable level should be determined
by:


Options are :

  • information security requirements
  • international standards.
  • information systems requirements
  • organizational requirements. (Correct)

Answer : organizational requirements.

Which of the following is the MOST appropriate use of gap analysis?


Options are :

  • Demonstrating the relationship between controls
  • Evaluating a business impact analysis (BIA)
  • Developing a balanced business scorecard
  • Measuring current state vs. desired future state (Correct)

Answer : Measuring current state vs. desired future state

The MOST effective way to incorporate risk management practices into existing production
systems is through:


Options are :

  • policy development.
  • awareness training.
  • regular monitoring.
  • change management. (Correct)

Answer : change management.

Which of the following BEST describes the scope of risk analysis?


Options are :

  • Key systems and infrastructure
  • Systems subject to regulatory compliance
  • Organizational activities (Correct)
  • Key financial systems

Answer : Organizational activities

When performing an information risk analysis, an information security manager should FIRST:


Options are :

  • evaluate the risks to the assets
  • categorize the assets.
  • take an asset inventory (Correct)
  • establish the ownership of assets

Answer : take an asset inventory

Risk acceptance is a component of which of the following?


Options are :

  • Monitoring
  • Evaluation
  • Mitigation (Correct)
  • Assessment

Answer : Mitigation

Before conducting a formal risk assessment of an organization's information resources, an
information security manager should FIRST:


Options are :

  • determine the financial impact if threats materialize
  • review available sources of risk information
  • map the major threats to business objectives (Correct)
  • identify the value of the critical assets

Answer : map the major threats to business objectives

When the computer incident response team (CIRT) finds clear evidence that a hacker has
penetrated the corporate network and modified customer information, an information security
manager should FIRST notify:


Options are :

  • the information security steering committee
  • regulatory agencies overseeing privacy.
  • customers who may be impacted
  • data owners who may be impacted (Correct)

Answer : data owners who may be impacted

A risk analysis should:


Options are :

  • give more weight to the likelihood vs. the size of the loss.
  • assume an equal degree of protection for all assets
  • include a benchmark of similar companies in its scope.
  • address the potential size and likelihood of loss. (Correct)

Answer : address the potential size and likelihood of loss.

The service level agreement (SLA) for an outsourced IT function does not reflect an adequate
level of protection. In this situation an information security manager should:


Options are :

  • determine the current level of security (Correct)
  • recommend not renewing the contract upon expiration
  • recommend the immediate termination of the contract
  • ensure the provider is made liable for losses.

Answer : determine the current level of security

Ongoing tracking of remediation efforts to mitigate identified risks can BEST be accomplished
through the use of which of the following?


Options are :

  • Bar charts
  • Heat charts (Correct)
  • Venn diagrams
  • Tree diagrams

Answer : Heat charts

The impact of losing frame relay network connectivity for 18-24 hours should be calculated using
the:


Options are :

  • aggregate compensation of all affected business users.
  • financial losses incurred by affected business units (Correct)
  • value of the data transmitted over the network.
  • hourly billing rate charged by the carrier.

Answer : financial losses incurred by affected business units